Exploiting Silence: 0-Click System Crashes via UDP in Windows Deployment Services

-


A newly uncovered vulnerability in Microsoft’s Windows Deployment Services (WDS) exposes enterprise systems to a severe zero-click denial-of-service (DoS) attack that can be executed remotely—without authentication or user interaction.

The flaw targets the UDP-based TFTP service running on port 69, which is central to WDS’s PXE boot functionality used for deploying operating systems over the network. Exploiting this weakness, an attacker can crash a vulnerable server in minutes, posing a serious risk to organizations relying on WDS for streamlined operating system rollouts.


How the Vulnerability Works

Discovered by security researcher Zhiniang Peng, the vulnerability stems from how WDS handles incoming TFTP (Trivial File Transfer Protocol) sessions. When a connection request is received, WDS creates a CTftpSession object via the function wdstftp!CClientContext::OnConnectionRequest. However, there’s a fundamental flaw: no limits are enforced on the number of sessions the server can spawn.

By sending a flood of spoofed UDP packets with randomized source IPs and ports, attackers can rapidly exhaust system memory. UDP, being connectionless, does not validate packet origins, making it trivial to fake traffic. This allows an attacker to create thousands of phantom sessions without ever being traced or authenticated.

“The core issue is that EndpointSessionMapEntry imposes no limit on the number of sessions. Consequently, an attacker can forge fake client IP addresses and port numbers, repeatedly creating new sessions until system resources are exhausted,” Peng explains.


Proof-of-Concept: From Packet Flood to Server Crash in Minutes

In a test environment running Windows Server Insider Preview with 8GB RAM, Peng demonstrated that the attack could consume 15GB of memory in just 7 minutes, ultimately crashing the server.

The technique requires only a basic Linux environment and a script to generate spoofed UDP packets—no advanced skills or access rights are needed. According to Peng, leveraging multithreading would further accelerate the impact.


Why This Matters

Windows Deployment Services is widely used across corporate networks, data centers, and educational institutions for remote OS installations. A successful exploit could paralyze an entire PXE infrastructure, preventing devices from booting and disrupting IT operations at scale.

The stealthy nature of the attack—no authentication, no interaction, and difficult packet attribution—makes traditional defense mechanisms such as antivirus or endpoint protection ineffective.

No Patch from Microsoft — Yet

Despite the critical nature of this vulnerability, Microsoft has not released a patch. Peng warns that, even in the absence of remote code execution, the vulnerability remains a high-impact DoS flaw that can bring down key infrastructure remotely.

This isn’t the first WDS vulnerability to surface—CVE-2019-0603, a remote code execution flaw, was patched in March 2019. However, this new issue remains unaddressed, increasing the pressure on IT administrators to act.

What Can You Do?

Until Microsoft responds, mitigation options are limited. Organizations are advised to:

  • Restrict external access to UDP port 69 using firewalls or VLAN segmentation.

  • Consider disabling WDS TFTP services if not in use, or limit usage to isolated environments.

  • Explore alternative deployment methods, such as SCCM with HTTPS or modern endpoint management platforms.

  • Implement network-based rate-limiting where possible to slow down potential floods.


This vulnerability underscores the inherent risks in legacy, unauthenticated protocols like TFTP, especially in critical infrastructure like OS deployment systems. Organizations using WDS should immediately assess their exposure, implement network-level defenses, and prepare for possible disruption—especially since the attack vector is simple, effective, and currently unpatched. 

Comments

Post a Comment

Popular posts from this blog

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those...
Read more

Lotus Panda Hacks SE Asian Governments With Browser Stealers and Sideloaded Malware

-
Image
The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. "Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report shared with The Hacker News. "The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool." The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country. The threat cluster, per Broadcom's cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as a high-profile organization in Southeast Asia since at least October 2023. ...
Read more